InsightCloudSec Software Release Notice - 22.3.2 Minor Release (05/11/2022)

Release Highlights (22.3.2)

InsightCloudSec is pleased to announce Minor Release 22.3.2. This Minor Release includes a new GCP Compliance Pack, “Center for Internet Security (CIS) - GCP 1.3.0”. This release also includes new support for Azure Traffic Manager, expanded support for AWS MSK Serverless, and support for 15 additional GCP Recommenders. In addition, 22.3.2 includes 22 new Insights, three updated Insights (details on two below), one new Query Filter, five updated Query Filters, and 13 bug fixes.

These following Insights have been updated:

• Autoscaling Group Automatic OS Upgrades Enabled to the inverse Autoscaling Group Automatic OS Upgrades Disabled to identify ASGs with upgrades that are disabled.

• Instance Not Configured to Use Default Service Account to the inverse Instance Configured to Use Default Service Account to identify instances that are configured to use the default service account.

For our Cloud IAM Governance  module, we have details around performance improvements to the IAM cache build.

Contact us through the new unified Customer Support Portal  with any questions.

New Permissions Required (22.3.2)

Features & Enhancements (22.3.2)

Center for Internet Security (CIS) - GCP 1.3.0 Release 22.3.2 introduces a new Compliance Pack: Center for Internet Security (CIS) - GCP 1.3.0. The new pack includes just over 20 additional GCP Insights (listed under “Insights” below), as well as additional data properties across several resource types. [ENG-16054]

AWS

• Replaced harvesting of ECR basic findings with gathering of Container Image vulnerabilities using Inspector V2 only. All vulnerability info for container images is now shown in the Vulnerability sidenav; associated columns in the resource listing table (Last Scanned, Finding Count, High, Medium and Low) have been removed. Two Query Filters–Resource Vulnerable To Specific Vulnerability (CVE) and Resource Vulnerability Count have been modified to support the Container Images resource type. [ENG-15814]

• All AWS STS AssumeRole session credentials are now automatically refreshed when the harvester or task takes longer than the expiration time. This behavior is now consistent across all AWS session management. [ENG-12653]

GCP Enabled Dynamic Harvesting for Google Cloud accounts on the Harvesting Strategy Listing page. [ENG-16306]

MULTI-CLOUD/GENERAL

• To reduce confusion, we are hiding the Create Exemptions button when Show exempted resources is selected in the Report Card view of the Compliance Scorecard. [ENG-16373]

• Added the Insight Severity to the Cloud Results worksheet of the Compliance Scorecard export. [ENG-16166]

• Improved the loading times of the Event Driven Harvesting overview page. [ENG-15630]

• Added a setting on the system admin page to generate a message to be displayed on the login screen. Also added the ability to enable/disable the display of this message. [ENG-12485]

• Added Network and Route Table related to the subnet to the Dependencies tab of the resource property panel for private subnets. [ENG-9286]

Resources (22.3.2)

AWS

• Expanded MSK Serverless visibility to now harvest in all supported regions. Additional information on the MSK expanded availability can be found here . [ENG-16193]

AZURE

• We are adding support to the new resource in Azure called Traffic Manager, Azure’s new resource for routing incoming traffic for high performance and availability. This new resource is part of the Network category as a new resource type Traffic Manager.  A new permission is required: “Microsoft.Network/trafficManagerProfiles/read”. [ENG-14511]

GCP

• Added support for additional GCP Recommenders into the Recommendations/Recommendation Findings resource types. Added a new Query Filter Service Role with Recommendation attached (GCP) to support this capability. Newly supported types are [ENG-15549]:

  • ‘google.cloudsql.instance.IdleRecommender’,
  • ‘google.cloudsql.instance.OutOfDiskRecommender’,
  • ‘google.cloudsql.instance.OverprovisionedRecommender’,
  • ‘google.compute.address.IdleResourceRecommender’,
  • ‘google.compute.commitment.UsageCommitmentRecommender’,
  • ‘google.compute.disk.IdleResourceRec,
  • ‘google.compute.image.IdleResourceRecommender’,
  • ‘google.compute.instance.IdleResourceRecommender’,
  • ‘google.compute.instance.MachineTypeRecommender’,
  • ‘google.compute.instanceGroupManager.MachineTypeRecommender’,
  • ‘google.iam.policy.Recommender’,
  • ‘google.logging.productSuggestion.ContainerRecommender’,
  • ‘google.monitoring.productSuggestion.ComputeRecommender’,
  • ‘google.resourcemanager.projectUtilization.Recommender’,
  • ‘google.run.service.IdentityRecommender’

• Note: Either of these roles–recommender.cloudsqlViewer or cloudsql.viewer are recommended to access the permissions required for these new recommenders. In InsightCloudSec you will need to have the Recommender API enabled (as listed here ) the specific required permissions are:

  • recommender.computeAddressIdleResourceRecommendations.list
  • recommender.computeDiskIdleResourceRecommendations.list
  • recommender.computeImageIdleResourceRecommendations.list
  • recommender.computeInstanceGroupManagerMachineTypeRecommendations.list
  • recommender.computeInstanceIdleResourceRecommendations.list
  • recommender.computeInstanceMachineTypeRecommendations.list
  • recommender.loggingProductSuggestionContainerRecommendations.get
  • recommender.loggingProductSuggestionContainerRecommendations.list
  • recommender.monitoringProductSuggestionComputeRecommendations.get
  • recommender.monitoringProductSuggestionComputeRecommendations.list
  • recommender.spendBasedCommitmentInsights.get
  • recommender.spendBasedCommitmentInsights.list
  • recommender.spendBasedCommitmentRecommendations.get
  • recommender.spendBasedCommitmentRecommendations.list

Insights (22.3.2)

• Autoscaling Group Automatic OS Upgrades Disabled - Updated Insight reworked and renamed from Autoscaling Group Automatic OS Upgrades Enabled. Note: Insight now looks for Autoscaling Groups with automatic OS upgrades disabled. [ENG-16310]

• Database Instance/Database Cluster Affected By AWS Security Bulletin - AWS-2022-004 - Updated Insight renamed from AWS Security Bulletin - AWS-2022-004 - Information Exposure from RDS Service Credentials for clarity. [ENG-15761]

• Instance Configured to Use Default Service Account - This Insight was updated and renamed (from Instance Not Configured to Use Default Service Account) to identify instances that are configured to use the default service account. [ENG-16054]

• The following new Insights were created as a part of the new Compliance Pack, “Center for Internet Security (CIS) - GCP 1.3.0”. [ENG-16054]:

  • Cloud Account Without Cloud Asset Inventory Enabled
  • Cloud Dataset Without Customer Managed Key
  • Database Instance Flag '3625 (trace flag)' Enabled
  • Database Instance Flag 'cross db ownership chaining' Enabled
  • Database Instance Flag 'external scripts enabled' Enabled
  • Database Instance Flag 'log_checkpoints' Disabled
  • Database Instance Flag 'log_duration' Disabled
  • Database Instance Flag 'log_error_verbosity' Set Incorrectly
  • Database Instance Flag 'log_executor_stats' Enabled
  • Database Instance Flag 'log_hostname' Disabled
  • Database Instance Flag 'log_min_error_statement' Not Set Appropriately
  • Database Instance Flag 'log_min_messages' Not Set Appropriately
  • Database Instance Flag 'log_parser_stats' Enabled
  • Database Instance Flag 'log_planner_stats' Enabled
  • Database Instance Flag 'log_statement' Not Set Appropriately
  • Database Instance Flag 'log_statement_stats' Enabled
  • Database Instance Flag 'remote access' Enabled
  • Database Instance Flag 'skip_show_database' Disabled
  • Instance Without Confidential Computing Enabled
  • Map Reduce Cluster Without Customer Managed Key
  • Network Without DNS Logging Profile
  • Serverless Function With Secret In Environment Variables

Query Filters (22.3.2)

AWS

• Database Instance/Database Cluster Affected By AWS Security Bulletin - AWS-2022-004 - This updated Query Filter was renamed from AWS Security Bulletin - AWS-2022-004 - Information Exposure from RDS Service Credentials for clarity and consistency with QF naming conventions. [ENG-15761]

• Instance Security Group Allows Access From Unknown Public IP - Expanded Query Filter now works with AWS MQ and DynamoDB Clusters. [ENG-11349]

• Resource Vulnerability Count - This Query Filter updated to support the Container Images resource type. [ENG-15814]

• Resource Vulnerable To Specific Vulnerability (CVE)- This Query Filter updated to support the Container Images resource type. [ENG-15814]

GCP

• Service Role with Recommendation attached (GCP) - New Query Filter supports additional GCP Recommenders in the Recommendations/Recommendation Findings resource types. [ENG-15549]

MULTI-CLOUD/GENERAL

• Instance Running Unapproved Image (Regex/Age) Updated Query Filter to add an option “not_match”. This allows matching of image names which do not match the supplied expression. [ENG-13048]

Bug Fixes (22.3.2)

• [ENG-16395] Fixed a bug where removing a custom Insight from a custom pack deletes that Insight.

• [ENG-16349] We have updated several Bot actions so that they follow the intended behavior of removing scheduled events prior to their execution when a resource transitions from non-compliant to compliant. For example, if a message is scheduled via the Bot action “Publish to Notification Topic With Target” about a resource that is non-compliant and – before the scheduled message is sent – the resource becomes compliant, the scheduled delivery of the message will be removed.

• [ENG-16327] Fixed a bug with Query Filters Content Delivery Network With/Without Region Specific Geo Restriction Block and Content Delivery Network With/Without Region Specific Geo Restriction Allow to ensure all regions specified are accounted for in the query.

• [ENG-16316] Fixed a bug where a credential health check mistook the expiration on AWS AssumeRole credentials and preemptively disabled the account.

• [ENG-16218] Fixed a bug related to “Read the Docs” links from the Insights page.

• [ENG-16213] Fixed a bug with Web Application Firewall (WAF) harvester.

• [ENG-16194] Fixed a bug that prevented the use of the Bot action “Cleanup Resource Access Policy” on AWS Glacier resources.

• [ENG-15715] Fixed AWS Content Delivery Network Resources in IaC for compatibility with Exemption Rules. Exemption Rules will now check against CloudFront Distributions’ CFT logical IDs and Terraform addresses, rather than the domain at which they serve content.

• [ENG-15566] Fixed a bug in the action “Remove Tags From Resource” when the Case Sensitive option is enabled.

• [ENG-15390] Fixed an issue where AWS GovCloud accounts were showing an impaired visibility icon after the IncompletePermissionsScan processor ran.

• [ENG-14567] Fixed edge case where Organizations created based on other Organizations created duplicate global packs/Insights.

• [ENG-12653] Fixed a bug involving AWS STS AssumeRole session credentials failing when the harvester or task took longer than the expiration time. This behavior is now consistent across all AWS session management.

• [ENG-10246] Fixed a bug that prevented the inspection of Threat Finding details on an individual resource through the property panel.

Cloud IAM Governance (Access Explorer) Updates - 22.3.2 Minor Release (05/11/2022)

Cloud IAM Governance Features & Enhancements (22.3.2)

• Made performance improvements to IAM cache build. [ENG-16319, ENG-16267]